path: root/sbin/isakmpd/isakmpd.conf.5
Diffstat (limited to 'sbin/isakmpd/isakmpd.conf.5')
-rw-r--r--  sbin/isakmpd/isakmpd.conf.5  53
1 files changed, 23 insertions, 30 deletions
diff --git a/sbin/isakmpd/isakmpd.conf.5 b/sbin/isakmpd/isakmpd.conf.5
index 67b7b69151c..12f4730b126 100644
--- a/sbin/isakmpd/isakmpd.conf.5
+++ b/sbin/isakmpd/isakmpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: isakmpd.conf.5,v 1.62 2001/12/21 11:41:50 mpech Exp $
+.\" $OpenBSD: isakmpd.conf.5,v 1.63 2002/03/01 15:25:17 ho Exp $
.\" $EOM: isakmpd.conf.5,v 1.57 2000/12/21 14:43:17 ho Exp $
.\"
.\" Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved.
@@ -88,12 +88,19 @@ and transforms.
.Pp
For Main Mode:
.Bd -filled -compact
-.Ar {DES,BLF,3DES,CAST}-{MD5,SHA}[-{DSS,RSA_SIG}]
+.Ar {DES,BLF,3DES,CAST}-{MD5,SHA}[-GRP{1,2,5}][-{DSS,RSA_SIG}]
.Ed
.Pp
For Quick Mode:
.Bd -filled -compact
-.Ar QM-{ESP,AH}[-TRP]-{DES,3DES,CAST,BLF,AES}[-{MD5,SHA,RIPEMD}][-PFS]-SUITE
+.Ar QM-{proto}[-TRP]-{cipher}[-{hash}][-PFS[-{group}]]-SUITE
+.Ed
+.Bd -literal
+ where
+ {proto} is either ESP or AH
+ {cipher} is either DES, 3DES, CAST, BLF or AES
+ {hash} is either MD5, SHA or RIPEMD
+ {group} is either GRP1, GRP2 or GRP5
.Ed
.Pp
Example 1: 3DES-SHA means; 3DES encryption, SHA hash, and authorization by
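Review bot: the new Quick Mode pattern makes {cipher} mandatory, but the AH suites in this same file carry no cipher (the [QM-AH-MD5-PFS-XF] transform later in this diff has only TRANSFORM_ID= MD5), so a name like QM-AH-MD5-PFS-SUITE does not match "QM-{proto}[-TRP]-{cipher}[-{hash}][-PFS[-{group}]]-SUITE". Either make the cipher optional in the pattern or state in the "where" list that {cipher} applies to ESP only and {hash} is required for AH. Also, Main Mode spells the group option as -GRP{1,2,5} while Quick Mode introduces a {group} placeholder for the same three names; using one spelling in both patterns would make them easier to compare.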
@@ -101,25 +108,16 @@ pre-shared keys.
Example 2: QM-ESP-3DES-SHA-PFS-SUITE means; ESP protocol, 3DES encryption,
SHA hash, and use Perfect Forward Security.
.Pp
-There are two predefined lifetimes used.
-The Main Mode lifetime, named LIFE_MAIN_MODE, currently
-defaults to one hour (minimum 60 seconds, maximum 1 day).
-The Quick Mode lifetime, LIFE_QUICK_MODE,
-defaults to 20 minutes (minimum 60 seconds, maximum 1 day).
.Pp
-In addition, the predefinitions include some default values for the special
-sections "General", and "X509-certificates".
-These values are presented in the example below.
+Unless explicitly stated with -GRP1, 2 or 5, transforms and PFS suites
+use DH group 2. There are currently no predefined ESP+AH Quick Mode suites.
.Pp
-Note that using the predefined section names imply some minor limitations.
-There are currently no predefined ESP+AH Quick Mode suites, and the
-Diffie-Hellman group description for Main Mode (and Quick Mode with PFS) is
-set to DH group 1 (MODP_768) when using MD5 hash, and DH group 2 (MODP_1024)
-when using SHA hash.
+The predefinitions include some default values for the special
+sections "General", and "X509-certificates". These default values are
+presented in the example below.
.Pp
All autogenerated values can be overridden by manual entries by using the
-same section and tag names in the configuration file.
-.Pp
+same section and tag names in the configuration file.
In particular, the default phase 1 (Main or Aggressive Mode) and phase 2
(Quick Mode) lifetimes can be overridden by these tags under the "General"
section;
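Review bot: "Unless explicitly stated with -GRP1, 2 or 5" reads as if "2" and "5" were bare suffixes; write "-GRP1, -GRP2 or -GRP5" to match the names introduced in the pattern above. The context line "Example 2: ... use Perfect Forward Security" in this hunk should say "Perfect Forward Secrecy" (that is what PFS stands for), and this paragraph is already being edited, so it is a cheap fix. Removing the ".Pp" after "same section and tag names in the configuration file." folds the "In particular, ..." sentence into the preceding paragraph; that looks intentional, since the lifetime defaults now follow the tag example, but it should be confirmed rather than assumed.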
@@ -129,6 +127,10 @@ section;
Default-phase-1-lifetime= 3600,60:86400
Default-phase-2-lifetime= 1200,60:86400
.Ed
+.Pp
+The Main Mode lifetime currently defaults to one hour (minimum 60
+seconds, maximum 1 day). The Quick Mode lifetime defaults to 20
+minutes (minimum 60 seconds, maximum 1 day).
.\"XXX Following empty .Ss works around a nroff bug, we want the new line."
.Ss
.Pp
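Review bot: the relocated text says "Main Mode lifetime" and "Quick Mode lifetime", but the tags it explains are Default-phase-1-lifetime and Default-phase-2-lifetime, and the paragraph just above defines phase 1 as "Main or Aggressive Mode". Suggest "The phase 1 lifetime currently defaults to one hour ..." and "The phase 2 (Quick Mode) lifetime defaults to 20 minutes ...". It would also help to say that "3600,60:86400" is read as seconds,minimum:maximum, so the reader can map the numbers to the one hour, 60 seconds and 1 day in the prose.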
@@ -708,7 +710,7 @@ Private-key= /etc/isakmpd/private/local.key
ENCRYPTION_ALGORITHM= DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
-GROUP_DESCRIPTION= MODP_768
+GROUP_DESCRIPTION= MODP_1024
Life= Default-phase-1-lifetime
[DES-SHA]
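Review bot: moving [DES-MD5] from MODP_768 to MODP_1024 is consistent with the new "transforms and PFS suites use DH group 2" sentence, but this hunk only touches DES-MD5. The pattern above also names BLF-MD5, 3DES-MD5 and CAST-MD5, and the old BUGS text said MD5 suites (plural) used group 1, so please confirm those entries are either absent from the sample or already MODP_1024; any leftover MODP_768 suite would reintroduce the mixed-group failure the removed BUGS section described.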
@@ -880,7 +882,7 @@ Life= Default-phase-2-lifetime
[QM-ESP-DES-MD5-PFS-XF]
TRANSFORM_ID= DES
ENCAPSULATION_MODE= TUNNEL
-GROUP_DESCRIPTION= MODP_768
+GROUP_DESCRIPTION= MODP_1024
AUTHENTICATION_ALGORITHM= HMAC_MD5
Life= Default-phase-2-lifetime
@@ -943,7 +945,7 @@ Life= Default-phase-2-lifetime
[QM-AH-MD5-PFS-XF]
TRANSFORM_ID= MD5
ENCAPSULATION_MODE= TUNNEL
-GROUP_DESCRIPTION= MODP_768
+GROUP_DESCRIPTION= MODP_1024
Life= Default-phase-2-lifetime
[Sample-Life-Time]
@@ -971,12 +973,3 @@ configuration files.
.Xr keynote 4 ,
.Xr isakmpd.policy 5 ,
.Xr isakmpd 8
-.Sh BUGS
-The RFCs does not permit differing DH groups in the same proposal for
-aggressive and quick mode exchanges.
-As the predefined suites currently uses DH group 1 for MD5 suites and
-DH group 2 for SHA suites, combining a MD5 and a SHA suite in a proposal
-will cause the exchange to fail.
-.Pp
-The current recommended workaround is to either use MD5- or SHA-only
-suites, or to specify the suites manually.
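Review bot: dropping the BUGS section removes the only statement in the page that the RFCs do not permit differing DH groups within one proposal. The unified MODP_1024 default fixes the MD5 versus SHA case, but this same diff adds the -GRP1/-GRP2/-GRP5 suffixes, so a proposal that mixes, say, a -GRP2 suite with a -GRP5 suite still hits that restriction. Suggest keeping a shorter entry, for example: "All suites within one proposal must use the same DH group; mixing -GRP1, -GRP2 and -GRP5 suites will cause the exchange to fail."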